Failed Dovecot Logins

keat63

Well-Known Member
Nov 20, 2014
cPanel Access Level
Root Administrator
My users don't use webmail, and all have statically configured office PCs, so they have no requirement to know their own email password. For this reason I'm utilising CSF, where I have IMAP, SMTP or POP3 login failure configured for one strike and you're blocked.

This works, and I see IPs being blocked daily.

However, occasionally I see cPHulk protecting me against failed Dovecot logins.
This is configured for four strikes and you're out.

Can anyone explain why Dovecot is not being triggered by CSF, but POP3, SMTP and IMAP are?

cPanelMichael

Administrator
Staff member
Apr 11, 2011
However, occasionally I see cPHulk protecting me against failed Dovecot logins.
This is configured for four strikes and you're out.

Can anyone explain why Dovecot is not being triggered by CSF, but POP3, SMTP and IMAP are?
Hello,

Could you provide some more details about the specific cPHulk log entry in-question? POP3 and IMAP are both handled with Dovecot.

Thank you.

keat63

Well-Known Member
Nov 20, 2014
cPanel Access Level
Root Administrator
Here is one from last night.

Code:
Brute Force attempt against “[email protected]”.

A device at the “xxx.xxx.xx.xxx” IP address has made a large number of invalid login attempts against the account “[email protected]”. This brute force attempt has exceeded the maximum number of failed login attempts that the system allows. For security purposes, the system has temporarily blocked this IP address in order to prevent further attempts.

Service: dovecot
Local IP Address: xxx.xxx.xxx.xxx
Local Port: 110
Remote IP Address: xxx.xxx.xxx.xxx
Remote Port: 38072
Authentication Database: mail
Username: [email protected]
Number of authentication failures: 4

cPanelMichael

Administrator
Staff member
Apr 11, 2011
Hello,

Port 110 is utilized for POP3 connections. Do you see any corresponding entries for the offending IP address in /var/log/maillog?

Thank you.

keat63

Well-Known Member
Nov 20, 2014
cPanel Access Level
Root Administrator
I think I may have figured this out.

cPHulk is configured to check for failed logins over a set period, and CSF was configured for two strikes on POP3, not one.

If the hacker had a failed login, then went away for a while, CSF wouldn't pick him up.
If he came back for another attempt, again CSF wouldn't detect him.
He could do this four times before cPHulk picked him up.
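The timing effect keat63 describes above, as an added example that is not part of the original thread: a small Python script that parses constructed Dovecot maillog lines (the kind of entries cPanelMichael suggested checking in /var/log/maillog) and runs two sliding-window counting rules over them per remote IP, one with a short window and a threshold of two standing in for CSF's LF_POP3D trigger, and one with a longer window and a threshold of four standing in for cPHulk. It goes slightly beyond the thread by counting POP3 and IMAP failures separately for the CSF-like rule. The log lines, host names, addresses, usernames, thresholds and windows are all assumptions made for the illustration, not the tools' defaults or data from the thread's server.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in the shape of Dovecot 2.x pop3-login/imap-login output
# (hypothetical host, users and RFC 5737 addresses; not entries from the thread's server).
SAMPLE_MAILLOG = """\
Jun  6 01:00:05 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<alice@example.com>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.7, session=<a1>
Jun  6 02:05:12 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 3 secs): user=<alice@example.com>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.7, session=<a2>
Jun  6 03:10:44 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 5 secs): user=<alice@example.com>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.7, session=<a3>
Jun  6 03:31:15 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob@example.com>, method=PLAIN, rip=198.51.100.23, lip=198.51.100.7, session=<b1>
Jun  6 03:31:19 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<bob@example.com>, method=PLAIN, rip=198.51.100.23, lip=198.51.100.7, session=<b2>
Jun  6 03:32:01 mail dovecot: pop3-login: Login: user=<carol@example.com>, method=PLAIN, rip=192.0.2.9, lip=198.51.100.7, mpid=4321, session=<c1>
Jun  6 04:15:09 mail dovecot: pop3-login: Disconnected (auth failed, 1 attempts in 4 secs): user=<alice@example.com>, method=PLAIN, rip=203.0.113.5, lip=198.51.100.7, session=<a4>
Jun  6 04:20:30 mail dovecot: imap-login: Disconnected (auth failed, 1 attempts in 2 secs): user=<dave@example.com>, method=PLAIN, rip=192.0.2.44, lip=198.51.100.7, session=<d1>
"""

# Only Dovecot login-process "auth failed" disconnects count as failures;
# successful "Login:" lines and lines from other daemons are ignored.
FAILURE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ dovecot: "
    r"(?P<proto>pop3|imap)-login: Disconnected \(auth failed.*?"
    r"user=<(?P<user>[^>]*)>.*?rip=(?P<rip>[0-9A-Fa-f.:]+)"
)

# Assumed policies for illustration: (threshold, sliding window in seconds, protocols counted).
# CSF keeps one counter per trigger (LF_POP3D, LF_IMAPD, ...), so the POP3-like rule sees
# POP3 only. The thresholds and windows here are assumptions, not either tool's defaults.
POLICIES = {
    "csf_pop3": (2, 3600, {"pop3"}),
    "cphulk": (4, 5 * 3600, {"pop3", "imap"}),
}


def parse_failures(text, year=2017):
    """Yield (timestamp, protocol, username, remote_ip) for each failed login line."""
    for line in text.splitlines():
        m = FAILURE_RE.search(line)
        if not m:
            continue
        # syslog timestamps carry no year; an assumed year is supplied so strptime can parse them
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        yield ts, m["proto"], m["user"], m["rip"]


def first_trigger(times, threshold, window):
    """Return the moment `threshold` failures first fall inside a sliding `window`, else None.

    A failure older than `window` before the current one has aged out and no longer
    counts, which is exactly how widely spaced attempts slip under a short window."""
    times = sorted(times)
    start = 0
    for i, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        if i - start + 1 >= threshold:
            return t
    return None


def evaluate(text, policies=POLICIES, year=2017):
    """Per remote IP, report when each policy would have blocked it (None if never)."""
    per_ip = {}
    for ts, proto, _user, rip in parse_failures(text, year):
        per_ip.setdefault(rip, []).append((ts, proto))
    report = {}
    for rip, events in per_ip.items():
        report[rip] = {}
        for name, (threshold, window, protocols) in policies.items():
            times = [ts for ts, proto in events if proto in protocols]
            report[rip][name] = first_trigger(times, threshold, timedelta(seconds=window))
    return report


if __name__ == "__main__":
    for rip, verdicts in evaluate(SAMPLE_MAILLOG).items():
        print(rip, {k: (v.strftime("%H:%M:%S") if v else None) for k, v in verdicts.items()})
```

With these inputs, 203.0.113.5 fails four POP3 logins roughly 65 minutes apart: the two-in-3600-seconds rule never fires because each failure has aged out before the next arrives, while the four-in-five-hours rule blocks at the fourth attempt. 198.51.100.23 fails twice within four seconds and is caught by the short-window rule but never reaches four failures for the long-window one. On a real server the equivalent check is to look for the offending address in /var/log/maillog (the `rip=` field in the Dovecot lines) and compare the spacing of its "auth failed" entries against the window each tool is configured with.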

CrazyforLinux

Registered
Jun 6, 2017
Ahmedabad
cPanel Access Level
Root Administrator
Hello Keat,

For your information, cPHulk is used for brute-force detection and failed-login blocking, and CSF comes with more advanced options. CSF automatically detects DoS attacks and DDoS attacks, as well as brute-force and failed login attempts.